<P>Analysis ransomware (General Topics)</P>
<P>https://live.paloaltonetworks.com/t5/general-topics/analysis-ransomware/m-p/280512#M75855</P>
<P>Hi,</P>
<P>One of our servers has been infected by some kind of ransomware. We can see several files encrypted, so we are looking for any evidence of the infection in the PA. The only trace that we saw in the PA is that the infected server sends many DNS sessions to strange domains:</P>
<P><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20852i820A24DB078243ED/image-size/large?v=1.0&amp;px=999" title="AV.JPG" alt="AV.JPG" /></P>
<P>So is there any way to prevent these external DNS sessions? Are these sessions related to the ransomware virus?</P>
<P>I tried to find the ID in the spyware profile in order to change the action from alert (current) to drop, but I cannot find it.</P>
<P>Any advice to know what happened and solve it in the future?</P>
<P>jesuscano, Thu, 01 Aug 2019 12:04:32 GMT, https://live.paloaltonetworks.com/t5/general-topics/analysis-ransomware/m-p/280512#M75855</P>
<P>Re: Analysis ransomware</P>
<P>You should enable DNS sinkhole in the Anti-Spyware profile, and if you're on PAN-OS 9.0 you can consider adding the DNS Security service.</P>
<P>Protection-wise it would be good to have full protection profiles (AV, TP, AS, WF, URL) set up on all your policies on the firewall, and Traps on the endpoint to defend against 0-day.</P>
<P>You could also look into running a <A title="Best Practice Assessment" href="https://live.paloaltonetworks.com/t5/Best-Practice-Assessment-Blogs/The-Best-Practice-Assessment-BPA-tool-for-NGFW-and-Panorama/ba-p/248343" target="_blank">BPA</A> to tighten up your security posture.</P>
<P>reaper, Thu, 01 Aug 2019 13:42:52 GMT, https://live.paloaltonetworks.com/t5/general-topics/analysis-ransomware/m-p/280531#M75858</P>
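<P>Added example (not code from the thread or from Palo Alto Networks) showing why the DNS sinkhole recommended above helps in exactly the situation the original poster describes: when an internal resolver forwards queries for clients, the firewall's DNS log only ever shows the resolver as the source, but once a malicious domain is answered with the sinkhole address, the infected client itself shows up in the traffic log trying to reach that address. The log record layouts, IP addresses (RFC 5737 documentation ranges) and domain names are all constructed for this example and are not PAN-OS log formats.</P>

```python
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"        # constructed sinkhole address (TEST-NET-1)
INTERNAL_RESOLVER = "10.0.0.53"  # constructed internal DNS server

# Constructed DNS query records as the firewall would see them:
# (source IP, queried domain, action). Every query comes from the
# internal resolver, so the real client is invisible here.
DNS_LOG = [
    ("10.0.0.53", "update.example.com", "allow"),
    ("10.0.0.53", "xk3q9d.bad-example.net", "sinkhole"),
    ("10.0.0.53", "p0w7zz.bad-example.net", "sinkhole"),
    ("10.0.0.53", "www.example.org", "allow"),
]

# Constructed traffic records: (source IP, destination IP, port, action).
# Clients that resolved a sinkholed domain now connect to SINKHOLE_IP.
TRAFFIC_LOG = [
    ("10.0.1.25", "203.0.113.10", 443, "allow"),
    ("10.0.1.77", "192.0.2.1", 443, "allow"),
    ("10.0.1.77", "192.0.2.1", 80, "allow"),
    ("10.0.1.25", "192.0.2.1", 443, "allow"),
    ("10.0.0.53", "203.0.113.53", 53, "allow"),
]


def sinkholed_domains(dns_log):
    """Domains the firewall answered with the sinkhole address."""
    return sorted({domain for _src, domain, action in dns_log if action == "sinkhole"})


def dns_sources(dns_log):
    """Hosts that appear as the source of sinkholed queries. Behind an
    internal resolver this is only the resolver, which is why the DNS log
    alone cannot name the infected machine."""
    return sorted({src for src, _domain, action in dns_log if action == "sinkhole"})


def infected_hosts(traffic_log, sinkhole_ip=SINKHOLE_IP):
    """Map each internal host that connected to the sinkhole address to its
    number of attempts. These hosts followed a sinkholed DNS answer, so they
    are the ones to isolate and investigate."""
    hits = defaultdict(int)
    for src, dst, _port, _action in traffic_log:
        if dst == sinkhole_ip and src != INTERNAL_RESOLVER:
            hits[src] += 1
    return dict(sorted(hits.items()))


if __name__ == "__main__":
    print("sinkholed domains:", sinkholed_domains(DNS_LOG))
    print("DNS sources seen (resolver only):", dns_sources(DNS_LOG))
    print("hosts that connected to the sinkhole:", infected_hosts(TRAFFIC_LOG))
```

<P>Running the script shows the point: the DNS log names only 10.0.0.53, while the traffic log reveals 10.0.1.25 and 10.0.1.77 as the machines that actually resolved the sinkholed domains. In a real deployment the same correlation is done against the firewall's threat and traffic logs filtered on the configured sinkhole address.</P>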
<P>Re: Analysis ransomware</P>
<P>To make suggestions relevant to your environment we'll need a lot more information about your device config (security policy and other subscription services you have and how they're configured).</P>
<P>That said, like @reaper mentioned, use the BPA to shore up your config. To help prevent this in the future you should make sure you're using file blocking profiles to at least track all files devices on your network are downloading from the Internet. You should also look into blocking file types which hosts typically have no business downloading from the Internet (VBS, for instance). You can look into implementing GEO blocking, which will help prevent some infections. Make sure you have SSL decryption deployed in your environment to help add visibility in your firewall to catch potentially malicious payload which is delivered via an encrypted session.</P>
<P>Before making any changes though, be sure to understand what you're looking at blocking and make sure there aren't any business processes which might be impacted by any changes you might make.</P>
<P>Brandon_Wertz, Thu, 01 Aug 2019 16:35:41 GMT, https://live.paloaltonetworks.com/t5/general-topics/analysis-ransomware/m-p/280563#M75862</P>
<P>Re: Analysis ransomware</P>
<P>Is there any way to change the default action (Alert) for "Spyware generic"? I tried to look but I cannot find it.</P>
<P>jesuscano, Fri, 02 Aug 2019 08:10:34 GMT, https://live.paloaltonetworks.com/t5/general-topics/analysis-ransomware/m-p/280699#M75870</P>
<P>Re: Analysis ransomware</P>
<P>Hello,</P>
<P>You can set exceptions. However, I would recommend using the criticality as a best practice.</P>
<P><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/20879i84FEC929AD480296/image-size/large?v=1.0&amp;px=999" title="image.png" alt="image.png" /></P>
<P>Also, as described above, set up DNS sinkhole as well as WildFire. If you set up packet capture, you might only get the DNS requests. You can use a free safe DNS source such as Quad9 until you are comfortable with purchasing one. This service is not a replacement for sinkhole, it is a complement to it.</P>
<P>OtakarKlier, Fri, 02 Aug 2019 20:49:58 GMT, https://live.paloaltonetworks.com/t5/general-topics/analysis-ransomware/m-p/280944#M75891</P>